took some time to speak to Elle Todd and Rob Bratby from law firm Olswang to understand the implications of Safe Harbour, the EU-US Privacy Shield and the EU's General Data Protection Regulation.

Jamie Davies

August 3, 2016

Data, data everywhere and not a minute to think

The last twelve months have been something of a roller coaster ride for anyone involved in the business of data, and who knows what else is around the corner.

From Safe Harbour through to Privacy Shield to the EU’s General Data Protection Regulation, the sub-sector promises to be a minefield for some, and a gold mine for others. For anyone managing customer data, the risks associated with non-compliance could be a substantial financial burden, though it does hold the potential to create a new and potentially lucrative sub-sector in the IT industry.

“For the IT world this could be year 2000 all over again,” said Rob Bratby, Partner at law firm Olswang. “Anyone who gets it right has a message which they can broadcast far and wide; it could potentially be a differentiator for customers who are becoming much more sensitive to the way data is being handled.”

While the saga has been rolling for years, the most recent challenges began last October with the European Commission striking down the Safe Harbour agreement, on the premise that it didn’t provide enough protection to European customers. This in itself was a bold move from the European Court of Justice, simply because there wasn’t a safety net in place. Safe Harbour was the mechanism, and there was little else to support it.

[Image: Olswang partners Elle Todd and Rob Bratby]
“It was a surprise for many people, and some were caught out,” said Elle Todd, Partner and Head of Digital and Data at Olswang. “These companies had to put in substantial overtime to put in place model clauses to fill a gap which Safe Harbour had filled previously.

“There were also a number of organizations that had seen it as a possibility, though they didn’t anticipate it was going to happen that fast. These are companies which had some fail-safes in place, so the impact wasn’t as bad. It was a surprise when it happened, mainly because it was literally overnight; that strong statement was a shock to people.”

The initial move from the European Court of Justice attracted numerous headlines, primarily because it was a definite statement to influential companies and individuals in the US: if you want to play in the EU, you have to do it by our rules. Despite the ruling being part of a greater effort to protect European consumers, it also impacted a number of organizations who fell short of regulatory expectations, resulting in fines and outcry for a mechanism which had provided appropriate guidelines on how organizations should manage the flow of data between the EU and the US.

Several months later, the EU-US Privacy Shield appeared, which once again caught the industry by surprise, but for less damning reasons, especially when you consider there will be a new president in the US in the next few months, and likely a new data policy.

“As there hasn’t been any guidance on what either policy will be, most people assumed there would be a pause on Privacy Shield, and the EU would wait until the new executive outlined their plans but actually it’s been a very separate process,” said Todd.

“In terms of the US context, what is interesting is the very emotive language in the campaigns about surveillance. There’s a lot of discussion in popular media with regard to relationships with Russia and China, and security of communications; it’s one of the first elections where these discussions and debates are right at the forefront.

“This is a direct response to the Snowden fallout. Everyone cares so much about security now that it has become a political issue. How that relates to policy we don’t know, as right now it’s about emotive language in the campaign as opposed to any hard-line policy. It will be interesting to see how this feeds through.”

The speed of the EU-US Privacy Shield is another area which has concerned numerous industry commentators. While the need for a mechanism to underpin the transfer of data across the Atlantic is not in doubt, the robustness of the agreement is still in question.

Last month the European Data Protection Supervisor Giovanni Buttarelli outlined his concerns over its effectiveness, the Article 29 Working Group said the agreement did not address mass surveillance and oversight, and privacy activist Max Schrems claimed the agreement is nothing but a re-heated version of Safe Harbour. A policy of this stature will always draw criticism from various corners of the industry, some stating it hasn’t gone far enough, and some stating it’s gone too far. What could be considered concerning is the reputation of those who have been vocal.

“There are questions about how robust Privacy Shield is because it involves setting up a new oversight mechanism; ultimately we don’t know in practice how effective that is going to be,” said Todd. “Organizations can’t simply rely on Privacy Shield now; for most it’s a case of having another mechanism they can use in addition to model clauses or BCR. It would be quite unusual now for people to rely solely on Privacy Shield as a sole mechanism now, in the way they used to rely solely on Safe Harbour.”

In short, the fallout and penalties following the downfall of Safe Harbour were too much for organizations to consider relying on a single mechanism for future business. Organizations will not be removing the interim model clauses that are now in place; instead, Privacy Shield will be used as a layer within the administration alongside model clauses and BCR, to ensure these organizations are as well protected as possible.

The long-term impact, and robustness, of Privacy Shield will be seen in the coming months; however, both the telco operators and enterprise IT now also have the concern of the EU’s General Data Protection Regulation to add into the mix. It has certainly been a busy couple of months for the European Commission.

Organizations now have until May 2018 to ensure compliance under the new regulations, a move which some industry commentators believe will be a trying journey. Depending on whom you speak to, between 50% and 80% of the industry has a lot of work to do to ensure compliance.

“Probably a very high percentage, as it is a new set of regulations; the number of accountability requirements is significantly higher than what is in place today,” said Todd. “Organizations aren’t doing that today because they don’t need to, but they have until May 2018 to put this documentation in place. I have no surprise at all that such a high number of companies are non-compliant currently, but they don’t need to be yet.”

“From a telecoms industry perspective, one of the big challenges for the telcos is that they have a lot of legacy systems in place, particularly around customer management, but also when they have grown through acquisition,” said Bratby. “These systems for the most part are incapable of being upgraded to be GDPR compliant. As organizations begin to understand the risks from GDPR non-compliance, in the telco space this will drive a lot of people to look at these systems and fundamentally rethink how they deal with customer data. In the telco industry, we could see numbers as high as 85% plus non-compliance with GDPR at the moment.”

The question is whether GDPR will have more of an impact on the telco operators or enterprise IT organizations.

“For any telco that is dealing with retail customers, GDPR is going to have a big impact,” said Bratby. “I’d be surprised if anybody is actually compliant, simply because it is not the way IT systems are designed at the moment. The requirements for privacy by design and default are simply not the way an IT system has been implemented.”

Data protection, data residency and data regulation are likely to be terms which will be thrown around the industry for some time. For the moment, there is still too much uncertainty, too many unknowns, and opinion is too polarized. Any major decisions are likely to be heavily scrutinized, heavily supported, heavily criticized and quickly challenged. It’s currently a complicated arena.

And all this before we know the outcome of the US presidential election or the long-term data policy of one of the most powerful countries in the world of telecoms and technology.
